Indulge me in a little test. Create a text file on your PC. Copy and paste this into it:
<html>
<body>
<br>My secret plans to become the next billionaire.
<br>My secret recipe for killer scones to sell to Starbucks.
<br>My password to all my websites.
</body>
</html>
Save the file with the name “TOP_SECRET.html”. Now, open your browser and browse to the file (File => Open => Browse => select your TOP_SECRET.html file => Click: OK). What do you see?
My secret plans to become the next billionaire.
My secret recipe for killer scones to sell to Starbucks.
My password to all my websites.
So, your browser can see all the data on your computer. Okay… should you care? YES. Browser security is very important. Some newer browsers have implemented security sandboxes too. Yippee! (Security sandboxes are for geeks what real sandboxes are for children: a cause for high excitement.)
For Windows, IE10 now has “Enhanced Protected Mode.” If you’re running Windows 7 or Windows 8, I would recommend that you install IE10, and activate Enhanced Protected Mode.
Why isn’t this activated AUTOMATICALLY? I’m glad that Microsoft made the new security feature, but it’s annoying that I have to go into my browser options and click the checkboxes. More than that, it makes me worry that other people won’t take the time to do the same, and their browsers won’t be secure.
After activating Enhanced Protected Mode, I tried to access my TOP_SECRET.html file. It still worked. I didn’t expect that. What is the Enhanced Protected Mode bringing to the table, and how can I secure some private files (like TOP_SECRET.html) so the browser couldn’t see them? However, the Enhanced Protected Mode is blocking some content: now I can’t open PDF files anymore. Lovely.
Unfortunately, IE10 is only available if you are running Windows 7 or Windows 8. It is not available for Windows XP or Windows Vista. So, what about IE9? Well, it’s already been hacked. The older but similar IE9 functionality called Protected Mode isn’t quite as secure. A really telling quote from the article linked above: “Bekrar quickly added that Protected Mode in the beta version of IE 10 running on Windows 8 is close to gaining parity with the current Chrome sandbox.”
What’s this about Chrome? Give Google some huge kudos for Chrome’s security. Now, you have to take this study with a grain of salt, because Google paid for the research, but the details are very telling. Since reading this, I have uninstalled Firefox from my computers, and installed Chrome instead. Now, Chrome still doesn’t protect your TOP_SECRET.html file. (You can still browse to: “file:///C:/Users/{your username}/Documents/TOP_SECRET.html” and see your secret plan to become the next billionaire.) But at least Chrome security is heading in the right direction. But, like anything in the security world, you can’t rest on your laurels. The Chrome sandbox has also been broken.
Note: the US CERT has a good article about browser configuration. It’s a little old, but some of the information is still applicable. CERT needs to update this article, or at least point users to their updated browser configuration docs.
For Mac OS X, the newer versions of Safari also have a sandbox. The sandbox was implemented with Safari 5.1, so if you can update Safari to at least version 5.1, that will help. If you can’t, it would be better to run Chrome. There is a version of Chrome for the Mac, so download that, install it, and run it.
What to do:
a) For Windows: upgrade to Windows 7 or 8. Install IE 10, and activate Enhanced Protected Mode. If you really CAN’T upgrade to Windows 7 or 8, at least start using Chrome instead of IE or Firefox.
b) For Mac OS X: update to Safari 5.1 or later, or use Chrome.
c) If you have top secret data, the only 100% guaranteed way to keep it private is to disconnect it from the internet.
d) If you’re using a newer version of Internet Explorer, you also need to disable proxy autodetection.
e) Learn more about targeted advertising and disable cookies.
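For step a), a quick way to confirm the checkbox actually took effect is to read the setting back from the registry rather than re-opening the Internet Options dialog. The script below is an added example, not code from the original post; it assumes that the “Enable Enhanced Protected Mode” checkbox in IE10 stores the string value Isolation = "PMEM" under HKCU\Software\Microsoft\Internet Explorer\Main, and that a Group Policy copy of the same value under HKLM\Software\Policies\Microsoft\Internet Explorer\Main overrides it when present.

```powershell
# Added example (not from the original post): report whether IE10's Enhanced
# Protected Mode is turned on for the current user.
# Assumption: the Advanced-tab checkbox writes Isolation = "PMEM" under the
# per-user key below, and a Group Policy value under the HKLM Policies key
# takes precedence over it.
function Get-EnhancedProtectedModeStatus {
    $policyPath = 'HKLM:\Software\Policies\Microsoft\Internet Explorer\Main'
    $userPath   = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

    # Check the policy location first so a domain-enforced setting wins.
    foreach ($path in @($policyPath, $userPath)) {
        if (Test-Path -Path $path) {
            $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
            if ($null -ne $props -and $null -ne $props.Isolation) {
                return [pscustomobject]@{
                    Source  = $path
                    Value   = $props.Isolation
                    Enabled = ($props.Isolation -eq 'PMEM')
                }
            }
        }
    }

    # Neither location carries the value: the feature was never switched on.
    return [pscustomobject]@{ Source = 'not set'; Value = $null; Enabled = $false }
}

$status = Get-EnhancedProtectedModeStatus
if ($status.Enabled) {
    Write-Output "Enhanced Protected Mode is ON (configured at $($status.Source))."
} else {
    Write-Output "Enhanced Protected Mode is OFF (Isolation = '$($status.Value)' at $($status.Source))."
    Write-Output "Turn it on: Internet Options > Advanced > Security > Enable Enhanced Protected Mode, then restart Internet Explorer."
}
```

Run it once after ticking the checkbox and restarting IE; if it still reports OFF, the setting did not persist, and if it reports a Source under HKLM\Software\Policies, the value is being managed centrally and the local checkbox will not change it.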